GitGuardian Shield Version

1.5.0

• I can reproduce this bug in the latest version

Command executed

ggshield scan ci

Describe the bug

ggshield scan ci creates a cache file causing potential conflicts with unclean state in workers

Expected behavior

ggshield scan ci should not create a cache file

In other word, should we add .cache_ggshield to gitignore?

GitGuardian Shield Version

1.5.0

• I can reproduce this bug in the latest version

Command executed

ggshield scan repo https://github.com/GitGuardian/gg-shield.git

Describe the bug

Scan arrives at 100% and stays there for a while

Expected behavior

Scan arrives at 100% and results are displayed

Context

• Only the scan requests are behind the progress bar
• Trimming has added an overhead to this.
• The progress bar should include documents being processed

• Add support for codefresh

Technical Implementation

• To research

On scanning patches scan repo , scan ci we get pre and post context which can help in side by side comparison.

Why

• To know on a scan patch operation if the result is an addition, modif or deletion.

Technicals

On json output these 2 get merged into a single line_start, line_end , index_start, index_end.

For this feature these should be split into:

• pre_line_start
• pre_line_end
• post_line_start
• post_line_end

These can be int or None. If they are absent they should not be deserialized (may bloat JSON too much)

Retrocompatibility concerns

• line_start, line_end , index_start, index_end should be kept as they are

Allow banlisting of detectors through config and CLI.

Definition of done:

• Add repeated cli option to banlist detectors --banlist-detector
• Add .gitguardian.yaml config option banlisted-detectors (list)
• Merge the two and filter out results

Is your feature request related to a problem? Please describe.

I want to scan packages (before publishing them to a registry but also be able to download from a registry and scan the package for secrets)

Describe alternatives you've considered

Maybe scanning a tar.gz since a package is a path. Maybe path should support compressed directory and ggshield should handle the decompression.

Commands

• ggshield scan pypi <package-name>

Given a package-name, ggshield will attempt to pull from pip the wheel and then scan the full archive

• ggshield scan archive <archive_path>

Given an archive path, ggshield will attempt to download the archive if an url and then scan the full archive.

Is your feature request related to a problem? Please describe.

Allow the users to control the number of workers used by ggshield.

Describe the solution you'd like

• add --workers flag to scan
• Keep existing behavior for default value
• override if this flag is set

Is your feature request related to a problem? Please describe.

I want to be able to scan docker images saved on my platform or pulling them from

Describe the solution you'd like

• [ ] ggshield scan docker <IMAGE NAME>

1. Downloads image (tries) if not available
2. Export layers
3. Scan each layer's fs diff
4. Present results by layer

Run ggshield scan in a directory/Repository with malicious git.exe in it on Windows

Actual Behavior

It executes malicious git.exe in the repo while scanning

Expected Behavior

It should not execute code/binary from repo unintentionally

Why

• It is nice to know when quota has been cleared without going to the dashboard

Definition of done

• Implement /v1/quotas support to py-gitguardian
• Implement ggshield quotas, displaying available to use
• Display up to implementer's

Is your feature request related to a problem? Please describe.

Exclude common directories such as **/vendor/**/*, **/node_modules/**/* without relying on .gitignore for these.

Describe the solution you'd like

• Add boolean flag (enabled by default) --default-excludes to scan mode
• Add boolean config (enabled by default) default-excludes
• Research other patterns to add by default
• Add these patterns by default to exclude list

Is your feature request related to a problem? Please describe.
when ggshield does not detect secret and the verbose mode is not set, there is no output and the cli only returns a zero no error code. Although it is compliant with linux tool philosophy, it is not always clear for our users / customers that the scanning was successful and that there are no leaks.

Describe the solution you'd like
This issue goal is more to track the output issue and think about it. To tackle the lack of information described above, we can either always output a clear message like "No leak found" even if the verbose mode is not set, or we can make the verbose mode set by default.

Hello,

I have a repository that was reported with a false positive by your tool.

threax/Threax.Pipelines@e8469b8#diff-e44d6862ce5abdbd548f53f8aa1e02acR93

This is not a problem. I have a function that builds connection strings with this inside. You should address this with your tool in some fashion. The YOU HAVE A SECURITY PROBLEM spam wasn't much appreciated.

Thanks,
Andrew

Is your feature request related to a problem? Please describe.

When scanning 50 (or more as the limit can be set) commits, we can reach the GitHub pre-receive timeout (4.5 seconds on ggshield / 5 seconds on GitHub).
When using Gitlab, this is not an issue and we can afford to have more time.

Describe the solution you'd like
Allow timeout to be specified using env (GGSHIELD_PRERECEIVE_TIMEOUT) or cli (--prereceive-timeout).

Describe alternatives you've considered
N/A

Additional context
N/A

FPM is a tool to help creating packages: https://github.com/jordansissel/fpm

Definition of Done

• FPM is setup to build rpm and deb packages
• The release process uploads packages to Cloudsmith repositories
• The installation process of Cloudsmith repositories is documented in the "Installation" section of the README

Describe the solution you'd like

I would like a codefresh integration for gg-shield so that I can have secret detection job in my codefresh pipelines
https://codefresh.io/

GitGuardian Shield Version

• I can reproduce this bug in the latest version

Command executed

ggshield scan -v ci

Describe the bug

When running ggshield scan -v ci using its docker image in gitlab CI, the output looks like that:

$ ggshield scan -v ci
CI_COMMIT_BEFORE_SHA: 0000000000000000000000000000000000000000
CI_COMMIT_SHA: xxxx
Commits to scan: 1
Scanning Commits
secrets-engine-version: 2.52.1
No secrets have been found
commit xxxx
Author: xxx xx [email protected]
Date: Fri Oct 15 14:53:41 2021 +0200
🛡️ ⚔️ 🛡️ 1 incident has been found in file slack_bot.py

Incident 1(Secrets detection): Slack Bot Token (Ignore with SHA: xxxx) (1 occurrence)
| @@ -0,0 +1,2 @
1 | def main():
2 | slack_key = "xxxx"

"No secrets have been found" appears in ggshield output.

Expected behavior

"No secrets have been found" should not appear when a secret is detected.

GitGuardian Shield Version

• I can reproduce this bug in the latest version

Command executed

• ggshield scan pre-commit
• ggshield quota
• Any ggshield command that uses Python Request

Describe the bug

GGShield uses environment variables but do not validate that the charset used can translate to latin-1 before trying to send a request.
This leads to the following opaque error:

UnicodeEncodeError: 'latin-1' codec can't encode characters in position 6-12: ordinal not in range(256)

For instance, using (Note that these are not ASCII dashes but U+2013 which cannot be encoded using .encode('latin-1')):

GITGUARDIAN_API_KEY=–––––––FILL-ME–––––––––

You get an encoding error.

Expected behavior

When using forbidden characters, a clear error should be provided to the end user. In the example above, this could be:

• Invalid API Key (to match the response that would have been returned by the server)
• GITGUARDIAN_API_KEY must only contains characters that can be encoded in latin-1
• ...

Screenshots

N/A

Traceback (if available)

Traceback (most recent call last):
  File "/home/mraguin/.local/bin/ggshield", line 8, in <module>
    sys.exit(cli_wrapper())
  File "/home/mraguin/.local/lib/python3.8/site-packages/ggshield/cmd.py", line 165, in cli_wrapper
    return_code = cli.main(standalone_mode=standalone_mode)
  File "/usr/lib/python3/dist-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3/dist-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3/dist-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3/dist-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/click/decorators.py", line 17, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/home/mraguin/.local/lib/python3.8/site-packages/ggshield/quota.py", line 18, in quota
    response: Union[Detail, QuotaResponse] = client.quota_overview()
  File "/home/mraguin/.local/lib/python3.8/site-packages/pygitguardian/client.py", line 307, in quota_overview
    resp = self.get(
  File "/home/mraguin/.local/lib/python3.8/site-packages/pygitguardian/client.py", line 177, in get
    return self.request(
  File "/home/mraguin/.local/lib/python3.8/site-packages/pygitguardian/client.py", line 129, in request
    response: Response = self.session.request(
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 387, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python3.8/http/client.py", line 1252, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.8/http/client.py", line 1293, in _send_request
    self.putheader(hdr, value)
  File "/usr/lib/python3.8/http/client.py", line 1225, in putheader
    values[i] = one_value.encode('latin-1')

Is your feature request related to a problem? Please describe.

Add --exclude as a repeatable option to ignore files from a scan without using .gitguardian.yaml

Describe the solution you'd like

• Add --exclude as a repeatable option to scan command
• Populate banlist patterns with these (merge with config's if available)
• Test that both are applied

I'm not sure where to write about this situation, but decided I'll try here.

I got an email referencing this repo describing that a secret had been exposed in a repo I manage. The referenced exposed secret was actually encrypted by mozilla/sops as intended, so I assume a false positive triggered the email.

Curious about this project I read up a bit and considered debugging this, I read that an API key was required, but decided against trying to get one since it led to a request to "Act on your behalf". I'm generally concerned about why that was requested.

I hope this experience is relevant for you to be aware about.

Email	API key required

We are missing a simple upgrade section in the README.

Export Slack block JSON

What

Implement support for Slack json block output.

https://app.slack.com/block-kit-builder/

Why

So it's easy to curl the output of ggshield directly to a slack and get a nice display

Command

ggshield scan --output-type=slack ci

ggshield scan --output-type=text ci

ggshield scan --output-type=json ci

Definition of Done

• Slack output handler
• --json ported to --output-type ( if not done already)

Is your feature request related to a problem? Please describe.

Add option to all commands to ignore ssl verify

Describe the solution you'd like

--allow-self-signed option in CLI

allow-self-signed in conf file

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

docker save can be slow

Definition of Done

• Display to users spinner while docker save is running on ggshield scan docker

Hi thanks for your tool and work! Another great find.

I wanted to use gitguardian in my personal gitlab-ci project. Your docs are easy to find and amazing in the readme.md
But upon clicking the 'add GG Api key' i was told: "GitLab integration is not available under your current plan."
Sad, I wish I could use this tool for free with limited functionalities to test and see if it's worth it to upgrade!

My proposal is to add the following to the readme per tool section:

this requires the business plan

or at least tell users it's not free at all. Which I thought it was.

Anyways tell me what you think of this nitpick change.

Take care!

I'd like to request that a CLI argument be added to ggshield that will return version information.

According to the documentation on PyPI, GGShield pre-push hooks will scan up to 100 commits:

https://pypi.org/project/ggshield/

Pre-push hooks will not scan more than a 100 commits to avoid developer interruption. In case there are more than a 100 commits in a push the hook will be skipped.

In practice there appears to be a 50 commit limit:

% ggshield --version
ggshield, version 1.8.1
% git push -u origin feature/my-new-big-branch
New tree event. Scanning last 50 commits.
Too many commits. Scanning last 50 commits

Scanning Commits  [####################################]  100% 
...

does the software find errors, but why not create an automatic pull request for the fix?

Is your feature request related to a problem? Please describe.

Describe the solution you'd like

• After a first call to the API is made, store the returned gg-secrets-engine-version header in a global variable that can be accessed by any part of ggshield (to be implemented in py-gitguardian)

• After a first call to the API is made, store the returned gg-app-version header in a global variable that can be accessed by any part of ggshield (to be implemented in py-gitguardian)

Deliverables:

• Print the version of gg-secrets-engine at the beginning of the results (if there are results)
• Return these versions on troubleshooting prompts
• implement gg-shield api-status to return app and api version and if it's healthy (health is already available in py-gitguardian)

Output for api-status for healthy API:

status: healthy
app-version: v1.2
secrets-engine-version: v1.23

Output for api-status for unhealthy API (returns 4XX-5XX):

status: unhealthy (<detail>)
app-version: unknown
secrets-engine-version: unknown

Add zipapp support.

Why

• Distribution as a pyz makes installation easier on pre-receive environment

Definition of Done

• add zipapp support to ggshield
• automatically upload .pyz archive on every release

As an example I have a key in my doku repo, but it's invalid. (and I mentioned it).
Now I get a false positive alert.

Please provide details how to handle this when using gg-shield to avoid false positives.

I got the this email today, when I click "Generic Private Key".
I got 404 error, the link redirection to here, but the correct page is here.

Export CSV

What

Implement support for CSV output.

Why

CSV is used as a reporting format

Command

ggshield scan --output-type=csv ci

ggshield scan --output-type=text ci

ggshield scan --output-type=json ci

Definition of Done

• CSV output handler
• --json ported to --output-type ( if not done already)
• text (default) added to --output-type ( if not done already)

When there are too many commits in the pre-push/pre-commit hook or we can't determine the range, as a compromise we should scan the last X commits according to a user config in .gitguardian.yml .

Option: max-commits-for-hook
Default: 50

I don't want to use your service. Stop emailing me.

djmitche/taskcluster@508879f#diff-6bec6ff2931ad8ff63611cd4919dd43eL810 is a 64-byte base64-encoded value produced by hmac with sha512. It's not an Azure storage account key, as is the case for the vast majority of 64-byte base64-encoded values. This is a false positive.

Please add ggshield to nixpkgs: https://github.com/NixOS/nixpkgs#contributing

This will allow people using the Nix package manager to install ggshield, including the ability to automatically download ggshield when they clone a repository that uses it ( https://nixos.wiki/wiki/Development_environment_with_nix-shell ).

Input: Amazon S3

What

Implement support for Amazon S3 input.

Why

Lots of things to scan on S3

• backups
• logs
• dumps

Command

ggshield scan s3 <s3://target_bucket[/filepath]/>

Definition of Done

• S3 scanning (full and partial)

GitGuardian Shield Version

ggshield's version is 1.8.2

Command executed

git push

Describe the bug

I get this error "Error: Unhandled exception: 'utf-8' codec can't decode byte 0xc3 in position 27183: invalid continuation byte" when I try to execute the "git push" command.

Expected behavior

When running "git push", ggshield scans the source code automatically.

Screenshots

Traceback (if available)
None.

GitGuardian Shield Version

• I can reproduce this bug in the latest version

Command executed

ggshield scan --json path x.py

Describe the bug

line is offset by 1 🤦

Expected behavior

line is not offset by 1 🤷

Screenshots

Add any other context about the problem here.

Executing ggshield from the root of a Unix/Linux filesystem results in the following stack trace:

$ cd /
$ ggshield --help
Traceback (most recent call last):
  File "/usr/local/bin/ggshield", line 5, in <module>
    from ggshield.cmd import cli_wrapper
  File "/usr/local/lib/python3.9/site-packages/ggshield/cmd.py", line 10, in <module>
    from ggshield.output import JSONHandler, OutputHandler, TextHandler
  File "/usr/local/lib/python3.9/site-packages/ggshield/output/__init__.py", line 1, in <module>
    from .json import JSONHandler
  File "/usr/local/lib/python3.9/site-packages/ggshield/output/json/__init__.py", line 1, in <module>
    from .json_output import JSONHandler
  File "/usr/local/lib/python3.9/site-packages/ggshield/output/json/json_output.py", line 8, in <module>
    from ggshield.output.output_handler import OutputHandler
  File "/usr/local/lib/python3.9/site-packages/ggshield/output/output_handler.py", line 3, in <module>
    from ggshield.scan import Result, ScanCollection
  File "/usr/local/lib/python3.9/site-packages/ggshield/scan/__init__.py", line 1, in <module>
    from .scannable import Commit, File, Files, Result, ScanCollection
  File "/usr/local/lib/python3.9/site-packages/ggshield/scan/scannable.py", line 11, in <module>
    from ggshield.config import CPU_COUNT, MAX_FILE_SIZE, Cache
  File "/usr/local/lib/python3.9/site-packages/ggshield/config.py", line 13, in <module>
    from .git_shell import get_git_root, is_git_dir
  File "/usr/local/lib/python3.9/site-packages/ggshield/git_shell.py", line 23, in <module>
    GIT_PATH = get_git_path(os.getcwd())
  File "/usr/local/lib/python3.9/site-packages/ggshield/git_shell.py", line 18, in get_git_path
    raise Exception("unable to find git executable in PATH/PATHEXT")
Exception: unable to find git executable in PATH/PATHEXT

The issue is here:

https://github.com/GitGuardian/gg-shield/blob/main/ggshield/git_shell.py#L17

git_path = str(which("git"))

if cwd in git_path and cwd not in os.environ.get("PATH", "").split(os.pathsep):

I'm not sure the history of that code but it seems overly complex as which() returns None if the executable is not found.

GitGuardian Shield Version

• I can reproduce this bug in the latest version

Command executed

ggshield scan ci

Describe the bug

• If there are merge commits present ggshield tries to parse them resulting in empty files being sent

ggshield scan -o gitguardian_report.json --json ci || exit 0
Scanning Commits
Error scanning. Results may be incomplete.
Add the following files to your paths-ignore:
- : filename:: [ErrorDetail(string='This field may not be blank.', code='blank')]
Error scanning. Results may be incomplete.
Add the following files to your paths-ignore:
- : filename:: [ErrorDetail(string='This field may not be blank.', code='blank')]
Error scanning. Results may be incomplete.
Add the following files to your paths-ignore:
- : filename:: [ErrorDetail(string='This field may not be blank.', code='blank')]
Error scanning. Results may be incomplete.
Add the following files to your paths-ignore:
- : filename:: [ErrorDetail(string='This field may not be blank.', code='blank')]
Error scanning. Results may be incomplete.
Add the following files to your paths-ignore:
- : filename:: [ErrorDetail(string='This field may not be blank.', code='blank')]
Error scanning. Results may be incomplete.
Add the following files to your paths-ignore:
- : filename:: [ErrorDetail(string='This field may not be blank.', code='blank')]
Error scanning. Results may be incomplete.
Add the following files to your paths-ignore:
- : filename:: [ErrorDetail(string='This field may not be blank.', code='blank')]
Error scanning. Results may be incomplete.
Add the following files to your paths-ignore:
- : filename:: [ErrorDetail(string='This field may not be blank.', code='blank')]

Expected behavior

Merge commits should be ignored